Cyber security is creating significant cyber insecurity: new EU regulation only adds to the anxiety

April 2017 | SPECIAL REPORT: MANAGING RISK

Financier Worldwide Magazine

April 2017 Issue

In a survey just released by the Economist Intelligence Unit, 53 percent of the executives that were asked what type of crisis had the greatest impact on their firm’s reputation cited cyber attacks. And when asked which crisis threatened financial value, 60 percent cited cyber attacks. Cyber attacks accounted for more corporate crises than all the other categories combined. It is against this backdrop that new and sweeping EU regulation will add more complexity to data privacy and security compliance.

In January 2017, the European Commission unveiled policy initiatives on data that seek to strengthen privacy rules and boost the European Union’s (EU) data economy. This package, which EU commissioner Andrus Ansip terms “the last major Digital Single Market initiative”, includes the regulation on Privacy and Electronic Communications. Itcomplements the ambitious General Data Protection Regulation adopted in May 2016 that gives citizens back the control of their personal data by ensuring the same level of trust and security for business-to-business communication in national courts.

GDPR willput privacy back on the map in Europe because the ‘consent of users’ anchors the new regulation. Indeed, all activities linked with data and metadata processing – including intercepting, scanning or storing – requires users’ explicit consent. The regulation also would give full control to users on their privacy settings. So, users will no longer have to click on cookies banners but will set their own level of protection in their internet browser.

Under the new regulation, which goes into full effect on 25 May 2018, the advertising sector and its revenues would be highly affected, unless the regulation does not prohibit targeted online ads. Similarly, spam and direct marketing communications also would require users’ consent. The price tag for noncompliance is high. Companies failing to respect users’ consent could be fined up to €10m, or 2 percent of their annual turnover. Communicators should expect heightened scrutiny from the public, regulators and the US

GDPR rules and requirements

The following is a summary checklist of GDPR rules and requirements: (i) a single, pan-European law for data protection replaces an inconsistent patchwork of national laws; (ii) a single supervisory authority would oversee companies; (iii) companies that discover an incident would have to inform consumers as soon as possible and regulators within 72 hours of the discovery; (iv) companies are encouraged to adopt ‘data protection by design’ and ‘data protection by default’, with data-protection safeguards built into products and services from the earliest stage of development; privacy-friendly default settings would become the norm; (v) a company outside the EU that offers services to customers in the EU or monitors behaviour of EU data subjects would fall under the GDPR’s rules; (vi) data protection authorities can fine companies that do not comply with EU rules up to 4 percent of their global annual turnover; and (vii) despite exiting the EU, the UK will be fully compliant under GDPR; the regulations might even be strengthened in the UK and a certification mark established for organisations that the UK’s independent Information Commissioner’s Office ranks as compliant.

When the full regulation goes into effect, companies will be required to demonstrate that they have established mechanisms to protect customers’ data as well as show that they have adopted a full and comprehensive approach to communicating data breaches to the fullest extent possible. This aims to provide compelling support that EU customer data is safe no matter where it is stored worldwide. It also strives to deliver full transparency and disclosure when the government requests customer data in accordance with specific procedures and investigative circumstances.

Failing to prepare means preparing to fail

Reflecting the unprecedented breadth and scope of GDPR in the data privacy security domain, training is essential. It is necessary to identify flaws and vulnerabilities both in the planning process and when the regulation goes fully into effect. For many organisations, this will be a new process that requires them to develop stress testing processes, identify key internal and external stakeholders, ensure they work together efficiently and make sure the regulation’s scope is fully understood.

Consequently, EU companies and those non-EU companies that store information on EU citizens should begin immediately to develop communications response plans in the probable event that a data security event will occur. The planning process must account for the unique circumstances that arise when international data breaches involve multiple jurisdictions.

Top 10 list of ‘to dos’

First, ensure that compliance auditing extends beyond the EU and to all jurisdictions where relevant data is stored and determine the type of data retained on European citizens.

Second, consider how data retained on EU citizens can be centralised and segmented from other company information; in practice, this could help ensure that a data breach in one market does not have a large and material impact on another.

Third, extend the incident response team to include similar counterparts in Europe, involving both internal and external partners; this should encompass legal, communications, customer care and forensics IT.

Fourth, map out the process to be followed for developing and approving internal and external communications, including a well-defined approval hierarchy; ensure that regional teams recognise that they cannot change the messaging once approved.

Fifth, cover all audiences in the planning process including employees, customers, regulators and business partners.

Sixth, determine the point person for relaying an incident to the data protection authorities in Europe and communicating how the company plans to position an incident still under investigation.

Seventh, prepare templated materials that include draft communications materials with content placeholders; holding statements for a variety of incident types; a public Q&A document to address questions from customers, investors and the media; a letter to customers from company leadership; and an internal memo to employees.

Eighth, develop the capability to send out notifications in multiple languages and across the various jurisdictions in a timely manner; it is recommended to find a vendor who can help with this ahead of time.

Ninth, identify the global knowledge base and service capabilities of key third-party legal counsel, forensic investigators, communications firms and notification providers; this can include awareness of the breach laws in different countries as well as the ability to establish multilingual call centers.

Finally, test the established communications process through a simulation for key executives to gauge the company’s ability and capacity to manage multi-variable risk and communications challenges, including media leaks, customer complaints, questions from employees and enquiries from EU data protection authorities.

Conclusion

While the trajectory and proliferation of cyber crime is challenging to predict or model, cyber criminals will continue to outpace the practical ability of businesses to insulate themselves from the financial and reputational impact of a cyber attack. It truly is a ‘when’ not an ‘if’. And while, per The Economist, the number of companies that have purchased cyber insurance to hedge the financial risk has grown by 85 percent over the past five years, reputation risk cannot be hedged.

Harlan Loeb is the global practice chair for reputation risk & crisis management at Edelman. He can be contacted on +1 (312) 240 2624 or by email: harlan.loeb@edelman.com.